Pegasus used to spy on protesters, popular actress and dozens more in Thailand, report says


At least 30 Thai citizens were targeted by phone-hacking software Pegasus between October 2020 and November 2021, according to a forensic report by Canadian digital rights organization CitizenLab and Thai NGOs iLaw and DigitalReach. Among the victims were prominent pro-democracy protesters as well as their lawyers and supporters. The hack is the latest in a series of documented uses of Pegasus against personalities from civil society.

NSO Group says it only sells its technology to governments and law enforcement, meaning the most likely perpetrator of the hacks is the elected Thai government, CitizenLab said.

Some of the victims were first alerted to the possible hacks of their devices in November 2021, when Apple pinged their phones, warning them that they may have been targets of state-sponsored attacks. In the report, corroborated by Amnesty International’s Technology Initiative, Amnesty Tech, CitizenLab conducted a forensic analysis of the devices to confirm that the hacks were carried out using Pegasus, a sophisticated tool developed by cyberweapons maker NSO Group, an Israeli company that was blacklisted by the US government last year.

Among those targeted by Pegasus were prominent pro-democracy activists from FreeYouth, United Front of Thammasat and Demonstration (UFTD) and We Volunteer (WeVo), along with their lawyers and supporters, who were targeted during a period of widespread pro-democracy protests. An anti-government rapper, Dechathorn “Hockhacker” Bamrungmuang; a famous Thai actress, Intira Charoenpura; and a political science professor, Prajak Kongkirati, were also among those attacked.

Thailand’s current administration took power in democratic elections in 2019, but many of its members – including the prime minister – hail from the military junta that replaced the previous elected government in 2014. Thousands of Thais took to the streets in waves of protest, and dissent flourished online in the form of taboo-breaking mockery of the royal family. Authorities have arrested dozens of protesters for sedition, for insulting the monarchy (lèse-majesté) and under a vaguely worded “computer crimes” law.

The CitizenLab report noted that many of the targets were, predictably, leaders of civil society groups. But even people in supporting roles have been targeted. Lawyers from civil society groups have also been caught in the net, along with fundraisers. Niraphorn Onnkhaow, donations manager for UFTD and administrator of the group’s Facebook page, was infected with Pegasus at least 12 times between February and June 2021.

The report speculates that the attack on Niraphorn may show that the perpetrator attempted to gather information about how the movement was funded and organized. It could have been triggered by specific transactions that would have been known to financial institutions and the Thai government but not to the public, according to the report.

“It … shows that there is non-public knowledge in the targeting, further reinforcing the fact that it would have been part of a larger intelligence operation,” John Scott-Railton, a senior fellow at CitizenLab who co-wrote the report, told Rest of World.

“I can’t think of any cases with rappers or actresses being targeted by Pegasus,” Scott-Railton added.

Pegasus is uniquely capable of infecting an iOS or Android device even if the user does not click on a compromised link. In other cases, the user only has to open a link in a text or email to unwittingly allow the software to download, which then gives the attacker unrestricted access to the target device, allowing them to see messages, emails, contacts and photographs. CitizenLab discovered that Pegasus developers were using zero-day exploits – attacks on previously unreported system vulnerabilities – including iOS exploits dubbed Kismet and ForcedEntry, to infect phones in Thailand.

The same day it notified victims of the hacks, Apple decided to sue NSO Group, the second company to do so after WhatsApp launched a lawsuit in October 2019 alleging the group hacked into its server.

Yingcheep Atchanont, executive director of iLaw, a human rights NGO in Bangkok and an advocate for cases related to the protests, was one of those woken up by the ping. CitizenLab researchers showed he was targeted by Pegasus six times in 2021.

Atchanont told Rest of World he had not suspected anything and isn’t quite sure what the attackers were looking for, although he suspects it could be linked to rumors that his organization was funneling money from foreign donors to the protest groups.

“Maybe the police or the army are stupid enough to believe this conspiracy theory; maybe they want to look for more information on the budget issue, so they are trying to attack me,” he said. Atchanont thinks there could be many more infected people who use non-Apple devices and never received a warning.

Charoenpura, the outspoken actress known for her public support for the protests and her role in fundraising, never received a notification. She told Rest of World she had thought she was being watched, with plainclothes authorities visiting her family’s cafe, so she temporarily walked away.

Months later, after hearing about other activists receiving notifications from Apple, Charoenpura suspected she might have been a victim. The investigation finally showed that Charoenpura’s phone had been repeatedly infected with Pegasus in April and June 2021.

“Can you imagine? Once I met a stranger wandering around and looking at my house, around 10 or 11 p.m.… With my phone infected, it [has] just taken my worry to the next level,” Charoenpura told Rest of World.

CitizenLab first observed a Pegasus operator in Thailand in May 2014, then again in 2016, followed by 2018. After six years of tracking Pegasus spyware infections, including samples of Pegasus code collected from infected devices, and the NSO Group’s infection and surveillance infrastructure, CitizenLab was able to identify Pegasus fingerprints associated with installing the spyware on the activists’ iPhones, according to the report.

Civil society groups and global institutions have stepped up efforts to hold spyware companies like NSO Group accountable. In April, the European Parliament launched a commission to investigate the use of Pegasus in EU member states. In the United States, NSO Group has been blacklisted by the Department of Commerce, and the large American defense company L3Harris has just dropped its bid to acquire the company’s spyware.

The valuation of NSO Group’s debt has continued to decline in response to souring public opinion and especially government action, such as that of the United States, Scott-Railton noted.

“What really matters are the things that make investors realize that they stand to lose everything by investing in spyware and government action,” he said. “These things have significant impacts on the bottom line of spyware companies. And I think that’s probably the mechanism through which we’re trying to slow the global proliferation of this technology.”

